DB Networks launched an SQL security-focused intrusion detection system designed to detect obfuscated attacks through behavioral analysis.
Unlike signature-based intrusion detection systems
Because hackers are getting adept at using obfuscation to get around signature-based perimeter defenses, many network security vendors are adding behavioral analysis techniques, but most of them are focused on the perimeter, said Brett Helm, chairman and CEO of Carlsbad, Calif.-based DB Networks. Helm said his company is the first to adopt these new techniques specifically for SQL security.
"We're operating between the application servers and the database," Helm said. Protecting traffic in this domain requires a different kind of protocol expertise. While many perimeter defense specialists rely on decoding protocols like HTTP, DB Networks decodes the SQL protocols of Oracle Server and Microsoft SQL server.
"We're doing behavioral analysis of SQL statements that are emerging from the applications. We're modeling the behavior of the application and not the end users. If that application were to send a rogue SQL statement, that would set off an alarm," said Mike Sabo, vice president of marketing at DB Networks.
The DB Networks IDS-6300 appliance is aimed at enterprises that place a high priority on SQL security in tiered applications and that have the ability to detect malicious traffic between application servers and database servers.
The appliance uses more than a dozen analytics engines to scrutinize traffic hitting database servers, searching for telltale signs of trouble, such as strange SQL syntax or odd requests to add or pull objects from a database.
"This is a cool technology that does a neat job, but it's very focused. If you're dealing with thousands of users or a lot of protected data, this is valuable," said David Monahan, research director at Boulder, Colo.-based Enterprise Management Associates. "In cases where the data is the key element, this is a very valid and singular technology you could deploy. If you are looking at a broader set of attacks -- such as who is banging on my application server and what are they doing -- then you would want other technologies out in front of the application server."
Good software development is the best SQL security, but…
In theory, a well-architected application would disallow any SQL injection attacks to begin with, Monahan said. Malicious database queries that sneak through perimeter defenses via obfuscation wouldn't be able to inject bad data or commands into SQL databases if applications were written to reject external query commands. Unfortunately, most enterprises lack the vigorous software development lifecycle controls to protect against malicious SQL queries, he said.
In application development, "there is cheap, there is fast and there is good, and usually only two of them can be true," Monahan said. "In these development shops they pick fast, and [they] flounder over [the question that] if we make it fast and cheap, it's not going to be good. But we'll get it out there anyway. It's obvious that due diligence is not where it needs to be. And that's why this technology is called for, because they know their applications stink in a lot of cases."